CVE-2023-53728
Description
In the Linux kernel, the following vulnerability has been resolved:
posix-timers: Ensure timer ID search-loop limit is valid
posix_timer_add() tries to allocate a posix timer ID by starting from the cached ID which was stored by the last successful allocation.
This is done in a loop searching the ID space for a free slot one by one. The loop has to terminate when the search wrapped around to the starting point.
But that's racy vs. establishing the starting point. That is read out lockless, which leads to the following problem:
CPU0 CPU1 posix_timer_add() start = sig->posix_timer_id; lock(hash_lock); ... posix_timer_add() if (++sig->posix_timer_id < 0) start = sig->posix_timer_id; sig->posix_timer_id = 0;
So CPU1 can observe a negative start value, i.e. -1, and the loop break never happens because the condition can never be true:
if (sig->posix_timer_id == start) break;
While this is unlikely to ever turn into an endless loop as the ID space is huge (INT_MAX), the racy read of the start value caught the attention of KCSAN and Dmitry unearthed that incorrectness.
Rewrite it so that all id operations are under the hash lock.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's posix_timer_add() can cause an infinite loop during timer ID allocation, leading to a denial of service.
Vulnerability
Description
CVE-2023-53728 is a race condition vulnerability in the Linux kernel's posix_timer_add() function, which allocates IDs for POSIX timers. The issue arises because the starting point for the ID search loop is read without proper locking, allowing a concurrent allocation to modify the cached ID value, potentially setting it to -1 [1]. This can prevent the loop termination condition from ever being true, leading to a soft lockup or denial of service.
Exploitation
An attacker can exploit this race condition by triggering concurrent POSIX timer creation from multiple threads or processes, causing CPU0 to read a stale or negative start value from sig->posix_timer_id. While the probability of a successful abuse is low due to the large ID space constraints, it is possible to consistently cause a soft lockup or hang [2]. No special privileges are required beyond the ability to create POSIX timers.
Impact
Successful exploitation results in a denial of service (DoS), as the affected CPU may enter an infinite loop, degrading system performance or causing a complete hang. The vulnerability does not lead to information disclosure or privilege escalation [3].
Mitigation
The fix, merged into the Linux kernel stable branches, ensures that all ID operations are performed under the hash lock, preventing the race condition [1][2]. Users should update to the latest kernel containing commit ef535e0315af or equivalent backports. No workaround is available without applying the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
88dc52c200b889ea26a8494a08ad6679a5bb9322377cc909def535e0315af6a0ac84501b437175e25edf78ce8849dd1e7Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/322377cc909defcca9451487484845e7e1d20d1bnvd
- git.kernel.org/stable/c/37175e25edf7cc0d5a2cd2c2a1cbe2dcbf4a1937nvd
- git.kernel.org/stable/c/6a0ac84501b4fec73a1a823c55cf13584c43f418nvd
- git.kernel.org/stable/c/8ad6679a5bb97cdb3e14942729292b4bfcc0e223nvd
- git.kernel.org/stable/c/8ce8849dd1e78dadcee0ec9acbd259d239b7069fnvd
- git.kernel.org/stable/c/8dc52c200b889bc1cb34288fbf623d4ff381d2aenvd
- git.kernel.org/stable/c/9ea26a8494a0a9337e7415eafd6f3ed940327dc5nvd
- git.kernel.org/stable/c/ef535e0315afd098c4beb1da364847eca4b56a20nvd
News mentions
0No linked articles in our index yet.